Edit tour
Windows
Analysis Report
Purchase Order No.5817-0001142025.bat.exe
Overview
General Information
| Sample name: | Purchase Order No.5817-0001142025.bat.exe |
| Analysis ID: | 1592409 |
| MD5: | fb2be2965fb21d400341518012ad4867 |
| SHA1: | fda727494d927e9b5919ca2b32f71a1d479f540c |
| SHA256: | 93e42636e6f59d02d0a756054fdadc37644c1c32da55cda0185e7923a8e42126 |
| Tags: | batexeuser-abuse_ch |
| Infos: |   |
 | |
Detection
Remcos, GuLoader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Detected Remcos RAT
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected GuLoader
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Sigma detected: New RUN Key Pointing to Suspicious Folder
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
Purchase Order No.5817-0001142025.bat.exe (PID: 348 cmdline: "C:\Users\ user\Deskt op\Purchas e Order No .5817-0001 142025.bat .exe" MD5: FB2BE2965FB21D400341518012AD4867) - Purchase Order No.5817-0001142025.bat.exe (PID: 6720 cmdline:
"C:\Users\ user\Deskt op\Purchas e Order No .5817-0001 142025.bat .exe" MD5: FB2BE2965FB21D400341518012AD4867)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity. |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution |
{"Host:Port:Password": ["linktreewealth.zapto.org:3980:0", "linktreewealth.zapto.org:3981:1", "linktreewealthy.zapto.org:3980:0"], "Assigned name": "Manifest", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-0B1XIG", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: | ||
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
Stealing of Sensitive Information | |
|---|
| Source: | Author: Joe Security: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-16T05:12:00.888974+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49974 | 109.99.162.14 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_004069DF | |
| Source: | Code function: | 0_2_00405D8E | |
| Source: | Code function: | 0_2_00402910 | |
Networking | |
|---|
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing | |
|---|
| Source: | Windows user hook set: | Jump to behavior | ||
| Source: | Code function: | 0_2_00405846 | |
E-Banking Fraud | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
System Summary | |
|---|
| Source: | Static PE information: | ||
| Source: | Process Stats: | ||
| Source: | Code function: | 0_2_00403645 | |
| Source: | Code function: | 0_2_00406DA0 | |
| Source: | Code function: | 0_2_6FBB1BFF | |
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_00403645 | |
| Source: | Code function: | 0_2_00404AF2 | |
| Source: | Code function: | 0_2_004021AF | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File written: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Data Obfuscation | |
|---|
| Source: | File source: | ||
| Source: | Code function: | 0_2_6FBB1BFF | |
| Source: | Code function: | 0_2_6FBB30EE | |
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | API/Special instruction interceptor: | ||
| Source: | API/Special instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Code function: | 0_2_004069DF | |
| Source: | Code function: | 0_2_00405D8E | |
| Source: | Code function: | 0_2_00402910 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-4371 | ||
| Source: | API call chain: | graph_0-4599 | ||
| Source: | Code function: | 0_2_6FBB1BFF | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00403645 | |
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | Mutex created: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 11 Masquerading | 11 Input Capture | 31 Security Software Discovery | Remote Services | 11 Input Capture | 11 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 12 Process Injection | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 1 Remote Access Software | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 12 Process Injection | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 23 System Information Discovery | SSH | Keylogging | 113 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 36% | Virustotal | Browse | ||
| 61% | ReversingLabs | Win32.Backdoor.Remcos |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 61% | ReversingLabs | Win32.Backdoor.Remcos | ||
| 0% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| linktreewealth.zapto.org | 0.0.0.0 | true | false | high | |
| teldrum.ro | 109.99.162.14 | true | false | high | |
| linktreewealthy.zapto.org | 0.0.0.0 | true | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown | |
| false |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 109.99.162.14 | teldrum.ro | Romania | 9050 | RTDBucharestRomaniaRO | false |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1592409 |
| Start date and time: | 2025-01-16 05:09:09 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 6m 31s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 5 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | Purchase Order No.5817-0001142025.bat.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/10@3/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
| Time | Type | Description |
|---|---|---|
| 05:11:56 | Autostart | |
| 05:12:04 | Autostart |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 109.99.162.14 | Get hash | malicious | GuLoader, Remcos | Browse | ||
| Get hash | malicious | GuLoader, Remcos | Browse | |||
| Get hash | malicious | Remcos, GuLoader | Browse | |||
| Get hash | malicious | GuLoader, Remcos | Browse | |||
| Get hash | malicious | Remcos, GuLoader | Browse | |||
| Get hash | malicious | Remcos, GuLoader | Browse | |||
| Get hash | malicious | Remcos, GuLoader | Browse | |||
| Get hash | malicious | Remcos | Browse | |||
| Get hash | malicious | Remcos, GuLoader | Browse | |||
| Get hash | malicious | Remcos, GuLoader | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| linktreewealth.zapto.org | Get hash | malicious | Remcos, GuLoader | Browse |
| |
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| teldrum.ro | Get hash | malicious | GuLoader, Remcos | Browse |
| |
| Get hash | malicious | GuLoader, Remcos | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader, Remcos | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| RTDBucharestRomaniaRO | Get hash | malicious | Mirai, Gafgyt | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | GuLoader, Remcos | Browse |
| ||
| Get hash | malicious | GuLoader, Remcos | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | GuLoader, Remcos | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Njrat, XRed | Browse |
| ||
| Get hash | malicious | DanaBot, PureLog Stealer, Vidar | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | PureCrypter, LummaC, LummaC Stealer | Browse |
| ||
| Get hash | malicious | PureCrypter, LummaC, LummaC Stealer | Browse |
| ||
| Get hash | malicious | PXRECVOWEIWOEI Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\nsb8AAB.tmp\System.dll | Get hash | malicious | GuLoader, Remcos | Browse | ||
| Get hash | malicious | GuLoader, Remcos | Browse | |||
| Get hash | malicious | Remcos, GuLoader | Browse | |||
| Get hash | malicious | GuLoader, Remcos | Browse | |||
| Get hash | malicious | Remcos, GuLoader | Browse | |||
| Get hash | malicious | Remcos, GuLoader | Browse | |||
| Get hash | malicious | Remcos, GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse |
| Process: | C:\Users\user\Desktop\Purchase Order No.5817-0001142025.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 174 |
| Entropy (8bit): | 3.3866534665095296 |
| Encrypted: | false |
| SSDEEP: | 3:rglsLlFmFWPlWlClDl5JWRal2Jl+7R0DAlBG45klovDl6ALilXIkqoov:MlsLlknlCb5YcIeeDAlOWAAe5q1v |
| MD5: | 014D5CBD4E44B8322F639C52820A2107 |
| SHA1: | BD1FC172606EB7B9E968858340758D675C58521C |
| SHA-256: | BAFFD9E1F798313CC3DD501136B374B90746133760E2500CD21CF3C8938E8589 |
| SHA-512: | A9ED15CF707D6208539848944A9C32C950465C54986908C6C3D9A188A0130ABEEFF815D1D16AD6E87B5EA6ECDBA14E693F2F959225CF5D208EA66704B90419E3 |
| Malicious: | true |
| Yara Hits: |
|
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\Purchase Order No.5817-0001142025.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 617221 |
| Entropy (8bit): | 7.756588513846525 |
| Encrypted: | false |
| SSDEEP: | 12288:UnPdMy8JGFmatdgxcG0F3F/eKZIhMznQJSeufSfk:EPdMvJn0tfZsMzReSck |
| MD5: | FB2BE2965FB21D400341518012AD4867 |
| SHA1: | FDA727494D927E9B5919CA2B32F71A1D479F540C |
| SHA-256: | 93E42636E6F59D02D0A756054FDADC37644C1C32DA55CDA0185E7923A8E42126 |
| SHA-512: | 4732A136C1E2E7E73F58296013A448EDCB528E2C97E664D8FFC145AE471BB323DC6F75431E611D4A2EB6A1966ED39AC772A2AFE8584063D1A531CEFEF870B89B |
| Malicious: | true |
| Antivirus: |
|
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\Purchase Order No.5817-0001142025.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 25 |
| Entropy (8bit): | 4.0536606896881855 |
| Encrypted: | false |
| SSDEEP: | 3:8+dB4WYiTNvn:8AbYiTNvn |
| MD5: | 08CA75DA54EB4810D18796C97F510A55 |
| SHA1: | 3D9B020193D16E7D0F5392EF7693A6C5C6D2531D |
| SHA-256: | E628D2EE9FE054256B42FFDEC449254437949DEB45B13354D515579CE3E0618E |
| SHA-512: | 46D71D69FDCBF9069E74C1176080637A1356E747FA1A1C852172CF0BB36F44ED7D741EB6DF029F333D690E500462DFC9EDEB8B4EB7BB9642C907B792F30DED9A |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\Purchase Order No.5817-0001142025.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 12288 |
| Entropy (8bit): | 5.805604762622714 |
| Encrypted: | false |
| SSDEEP: | 192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr |
| MD5: | 4ADD245D4BA34B04F213409BFE504C07 |
| SHA1: | EF756D6581D70E87D58CC4982E3F4D18E0EA5B09 |
| SHA-256: | 9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706 |
| SHA-512: | 1BD260CABE5EA3CEFBBC675162F30092AB157893510F45A1B571489E03EBB2903C55F64F89812754D3FE03C8F10012B8078D1261A7E73AC1F87C82F714BCE03D |
| Malicious: | false |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\Purchase Order No.5817-0001142025.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1239884 |
| Entropy (8bit): | 4.0042107461828635 |
| Encrypted: | false |
| SSDEEP: | 12288:6CRFMBOsWwHHzckVfAlmSDjY2nr2OrvS9CR:6CRPwHYkVfAYSvrnrZF |
| MD5: | F6A0F4C79300AEE752FC9FF33A1B1B4B |
| SHA1: | 85CDF54DE234B94F1B6574F36EDF583B4D8C817E |
| SHA-256: | CCCB8590505B9BB0566666585DD321AA42C0EDFCBF9335AE0C0A3E0D468AB30B |
| SHA-512: | 9D986B0FFBA43D08B5928E6632F026D2731B1F8E98A1E862094D866FE7E43BAC5F72068BE85F364CE6C41D73F3C7EE6B8F9DCD99BF3D0FF13D31C3E5529E178F |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\Purchase Order No.5817-0001142025.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 114454 |
| Entropy (8bit): | 1.2519787240577294 |
| Encrypted: | false |
| SSDEEP: | 768:RRDt23AKhN87PfNufvVxTfdx5U5Flf6VAETw:YEevVx2h |
| MD5: | F85E20AA1A28EEFFC89F744F6B6B67B3 |
| SHA1: | B61AEF131017C5605647983CE2D55769914BB104 |
| SHA-256: | C388ED22B7E44C0C3FDD6D064DD070DCA64CEA1E83D6151566641E7438C346ED |
| SHA-512: | EA89503F496B30DA5EAA74BB479007BB6B93463B775F16810A4391E79389A219398AC81DCCDD79C3F60E85DF77AA985E405BDF7B477C8F3217ECC3B7460BEE6A |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\Purchase Order No.5817-0001142025.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 310550 |
| Entropy (8bit): | 1.2527719188567612 |
| Encrypted: | false |
| SSDEEP: | 1536:CfvXvtPDO00Rz1DXs2sASdJwvyfnpZkL:klDO0MDRS9k |
| MD5: | 72FA348549D0BD9CE66E5F3EBA54DF3A |
| SHA1: | D5B4797D07374226CD8173964DF8753F4ABB9E6E |
| SHA-256: | 7F24A44B47D2C036AACE03D4F5EBEA053CED6ED06CE01ED70E6FD8AEE8211CC9 |
| SHA-512: | D375FC28BBA68A52E4C2CB97A9ADA416D38F29B21004F1853DC14ACF28CDE2A802D51FD66901D993DAA58E50D8C87FD2A8827482633B0B9874FF64F8442492B1 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\Purchase Order No.5817-0001142025.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 200302 |
| Entropy (8bit): | 4.6062914847515835 |
| Encrypted: | false |
| SSDEEP: | 3072:96wsWDv0yAoceF/ujFfMvZ1zxl17/4cUAhYTgq:92oF/+Mzv1ccXCt |
| MD5: | 5727BC0FF0B61A0D9DE62F83F4E72269 |
| SHA1: | EC82ECBC552E8C69A76FDF1AEBE0FFFE69E865F3 |
| SHA-256: | F386BA2EE555EE3733AEAE5641ABD2CA3E993CB513407CB602B45F1F8166D8DA |
| SHA-512: | 16052408E86A7411C5962A225EB07AD8F49DF1994D883B337A5B85319843A05D357CF05D01B0663B9DBDB09517F1CEFFB10BBEE5434891B3424D19A0B10A4674 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\Purchase Order No.5817-0001142025.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 267655 |
| Entropy (8bit): | 1.2559804952290619 |
| Encrypted: | false |
| SSDEEP: | 768:HbUhrUe+zlum+LaFrAX40edupFSsZVfeTkVhbbCGx6+ZOoJrrSVlRM9k8rZgQWze:ICFg/VP97pb14sZg |
| MD5: | F6A4342C9271CFFEF29695EEA330941E |
| SHA1: | 291ABCFA507BA730832511E5F47EAA2CB4DFABBD |
| SHA-256: | 605B31C886C5989625152D1CD58BCACF2827DE36CC67B5D94D6B425955CEDBA6 |
| SHA-512: | D839DD8E3D74B7500F32318403BEAC3BA2DA83C48EF21555E78D368AA0404AC750DB1DD7EB8A7196DA32FBE3D880B66ED3166A39F17D8D0D13C9C4B19435530C |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\Purchase Order No.5817-0001142025.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 327142 |
| Entropy (8bit): | 7.594926290050457 |
| Encrypted: | false |
| SSDEEP: | 6144:UYCRk+MRfSJsWwHbEOzckVBlBGlmSoDSjEDXg9i0C:jCRFMBOsWwHHzckVfAlmSDjY2nC |
| MD5: | D0130C4DCAAD741EDD5824614AD1E52E |
| SHA1: | 77E29B6A09852D8764293B8BFEB932E3C16BB9B0 |
| SHA-256: | A631F743E3FADFA3EF221EF3467E148B5ECB6925A0B286FA2AB0D404D9BB7038 |
| SHA-512: | 75D7537D0E8D489049413A21E0CCEC2FDAC5811CB1067E87F29C6EF24FDC551A03F495C783110751B69CAFE8CDEBC090C0FDDE76CE49DC429C7F01E9F27793FD |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.756588513846525 |
| TrID: |
|
| File name: | Purchase Order No.5817-0001142025.bat.exe |
| File size: | 617'221 bytes |
| MD5: | fb2be2965fb21d400341518012ad4867 |
| SHA1: | fda727494d927e9b5919ca2b32f71a1d479f540c |
| SHA256: | 93e42636e6f59d02d0a756054fdadc37644c1c32da55cda0185e7923a8e42126 |
| SHA512: | 4732a136c1e2e7e73f58296013a448edcb528e2c97e664d8ffc145ae471bb323dc6f75431e611d4a2eb6a1966ed39ac772a2afe8584063d1a531cefef870b89b |
| SSDEEP: | 12288:UnPdMy8JGFmatdgxcG0F3F/eKZIhMznQJSeufSfk:EPdMvJn0tfZsMzReSck |
| TLSH: | DCD4F1F6F150C27BE21F0E34EA7269F01984BC79D1E1443B4365BE99F472A61989B80F |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...g..d.................h..."..... |
 | |
| Icon Hash: | 4571753721719a8d |
| Entrypoint: | 0x403645 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x64A0DC67 [Sun Jul 2 02:09:43 2023 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 9dda1a1d1f8a1d13ae0297b47046b26e |
| Instruction |
|---|
| sub esp, 000003F8h |
| push ebp |
| push esi |
| push edi |
| push 00000020h |
| pop edi |
| xor ebp, ebp |
| push 00008001h |
| mov dword ptr [esp+20h], ebp |
| mov dword ptr [esp+18h], 0040A230h |
| mov dword ptr [esp+14h], ebp |
| call dword ptr [004080A0h] |
| mov esi, dword ptr [004080A4h] |
| lea eax, dword ptr [esp+34h] |
| push eax |
| mov dword ptr [esp+4Ch], ebp |
| mov dword ptr [esp+0000014Ch], ebp |
| mov dword ptr [esp+00000150h], ebp |
| mov dword ptr [esp+38h], 0000011Ch |
| call esi |
| test eax, eax |
| jne 00007FF2A119310Ah |
| lea eax, dword ptr [esp+34h] |
| mov dword ptr [esp+34h], 00000114h |
| push eax |
| call esi |
| mov ax, word ptr [esp+48h] |
| mov ecx, dword ptr [esp+62h] |
| sub ax, 00000053h |
| add ecx, FFFFFFD0h |
| neg ax |
| sbb eax, eax |
| mov byte ptr [esp+0000014Eh], 00000004h |
| not eax |
| and eax, ecx |
| mov word ptr [esp+00000148h], ax |
| cmp dword ptr [esp+38h], 0Ah |
| jnc 00007FF2A11930D8h |
| and word ptr [esp+42h], 0000h |
| mov eax, dword ptr [esp+40h] |
| movzx ecx, byte ptr [esp+3Ch] |
| mov dword ptr [00429B18h], eax |
| xor eax, eax |
| mov ah, byte ptr [esp+38h] |
| movzx eax, ax |
| or eax, ecx |
| xor ecx, ecx |
| mov ch, byte ptr [esp+00000148h] |
| movzx ecx, cx |
| shl eax, 10h |
| or eax, ecx |
| movzx ecx, byte ptr [esp+0000004Eh] |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84fc | 0xa0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4a000 | 0x18858 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2a8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x66b7 | 0x6800 | e65344ac983813901119e185754ec24e | False | 0.6607196514423077 | data | 6.4378696011937135 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8000 | 0x1358 | 0x1400 | bd82d08a08da8783923a22b467699302 | False | 0.4431640625 | data | 5.103358601944578 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xa000 | 0x1fb78 | 0x600 | caa377d001cfc3215a3edff6d7702132 | False | 0.5091145833333334 | data | 4.126209888385862 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x2a000 | 0x20000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x4a000 | 0x18858 | 0x18a00 | 73bbe3fdd1585fbd610b24874590b455 | False | 0.22416322969543148 | data | 5.2980000367452575 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x4a418 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.14908908079971608 |
| RT_ICON | 0x5ac40 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.27520746887966807 |
| RT_ICON | 0x5d1e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.3553001876172608 |
| RT_ICON | 0x5e290 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688 | English | United States | 0.48667377398720685 |
| RT_ICON | 0x5f138 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.43934426229508194 |
| RT_ICON | 0x5fac0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.569043321299639 |
| RT_ICON | 0x60368 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 672 | English | United States | 0.5552995391705069 |
| RT_ICON | 0x60a30 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1536 | English | United States | 0.18841463414634146 |
| RT_ICON | 0x61098 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.4869942196531792 |
| RT_ICON | 0x61600 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.598404255319149 |
| RT_ICON | 0x61a68 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.26344086021505375 |
| RT_ICON | 0x61d50 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 384 | English | United States | 0.3094262295081967 |
| RT_ICON | 0x61f38 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.42905405405405406 |
| RT_DIALOG | 0x62060 | 0x100 | data | English | United States | 0.5234375 |
| RT_DIALOG | 0x62160 | 0x11c | data | English | United States | 0.6056338028169014 |
| RT_DIALOG | 0x62280 | 0x60 | data | English | United States | 0.7291666666666666 |
| RT_GROUP_ICON | 0x622e0 | 0xbc | data | English | United States | 0.601063829787234 |
| RT_VERSION | 0x623a0 | 0x174 | data | English | United States | 0.5860215053763441 |
| RT_MANIFEST | 0x62518 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795 |
| DLL | Import |
|---|---|
| ADVAPI32.dll | RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW |
| SHELL32.dll | SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW |
| ole32.dll | CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree |
| COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create |
| USER32.dll | MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics |
| GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor |
| KERNEL32.dll | RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, WriteFile, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, CopyFileW |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-16T05:12:00.888974+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.5 | 49974 | 109.99.162.14 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 16, 2025 05:11:59.625569105 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:11:59.625617027 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:11:59.625684023 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:11:59.641050100 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:11:59.641068935 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:00.599092007 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:00.599241018 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:00.652689934 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:00.652719975 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:00.653734922 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:00.653827906 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:00.655913115 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:00.699354887 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:00.889029980 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:00.889103889 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:00.889172077 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:00.889189959 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:00.891263008 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.008630991 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.008742094 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.009260893 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.009336948 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.010045052 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.010109901 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.011660099 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.011728048 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.129297018 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.129424095 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.129426956 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.129462004 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.129587889 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.129946947 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.129988909 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.130000114 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.130011082 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.130039930 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.130768061 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.130826950 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.131453991 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.131517887 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.132311106 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.132376909 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.133269072 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.133338928 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.249109030 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.249236107 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.249269009 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.249444962 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.249650955 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.249718904 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.250129938 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.250190973 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.250446081 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.250509024 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.251002073 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.251076937 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.251534939 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.251604080 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.251842022 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.251904964 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.252299070 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.252362967 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.252819061 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.252892971 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.253243923 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.253315926 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.253829956 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.253892899 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.254201889 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.254281044 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.341835976 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.341958046 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.341983080 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.342055082 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.369545937 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.369682074 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.369683981 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.369716883 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.369894028 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.369894028 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.370018005 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.370085001 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.370532036 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.370603085 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.370660067 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.370726109 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.371100903 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.371165037 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.374448061 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.374516964 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.374650002 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.374711990 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.374922991 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.374996901 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.375283957 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.375350952 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.375627041 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.375695944 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.376055002 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.376118898 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.376167059 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.376235008 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.376271963 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.376337051 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.376832962 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.376902103 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.434391975 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.434498072 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.434525967 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.434601068 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.461791992 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.461890936 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.461913109 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.461977005 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.462282896 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.462344885 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.462845087 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.462937117 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.463120937 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.463190079 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.463464975 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.463526011 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.463929892 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.463996887 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.464071035 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.464133024 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.464855909 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.464926004 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.465075016 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.465136051 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.465188980 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.465257883 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.465945959 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.466006994 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.489490986 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.489561081 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.489809990 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.489869118 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.526647091 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.526732922 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.526793957 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.526853085 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.527067900 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.527118921 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.554183960 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.554265976 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.554280996 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.554364920 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.554371119 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.554385900 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.554392099 CET | 443 | 49974 | 109.99.162.14 | 192.168.2.5 |
| Jan 16, 2025 05:12:01.554409981 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.554436922 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Jan 16, 2025 05:12:01.554455996 CET | 49974 | 443 | 192.168.2.5 | 109.99.162.14 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 16, 2025 05:11:59.540719986 CET | 63156 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jan 16, 2025 05:11:59.614238977 CET | 53 | 63156 | 1.1.1.1 | 192.168.2.5 |
| Jan 16, 2025 05:12:04.091784954 CET | 56577 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jan 16, 2025 05:12:04.100687981 CET | 53 | 56577 | 1.1.1.1 | 192.168.2.5 |
| Jan 16, 2025 05:12:04.109869957 CET | 59059 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jan 16, 2025 05:12:04.117865086 CET | 53 | 59059 | 1.1.1.1 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 16, 2025 05:11:59.540719986 CET | 192.168.2.5 | 1.1.1.1 | 0xf804 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 16, 2025 05:12:04.091784954 CET | 192.168.2.5 | 1.1.1.1 | 0xbe59 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 16, 2025 05:12:04.109869957 CET | 192.168.2.5 | 1.1.1.1 | 0xbdfe | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 16, 2025 05:11:59.614238977 CET | 1.1.1.1 | 192.168.2.5 | 0xf804 | No error (0) | 109.99.162.14 | A (IP address) | IN (0x0001) | false | ||
| Jan 16, 2025 05:12:04.100687981 CET | 1.1.1.1 | 192.168.2.5 | 0xbe59 | No error (0) | 0.0.0.0 | A (IP address) | IN (0x0001) | false | ||
| Jan 16, 2025 05:12:04.117865086 CET | 1.1.1.1 | 192.168.2.5 | 0xbdfe | No error (0) | 0.0.0.0 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49974 | 109.99.162.14 | 443 | 6720 | C:\Users\user\Desktop\Purchase Order No.5817-0001142025.bat.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-16 04:12:00 UTC | 173 | OUT | |
| 2025-01-16 04:12:00 UTC | 223 | IN | |
| 2025-01-16 04:12:00 UTC | 7969 | IN | |
| 2025-01-16 04:12:01 UTC | 8000 | IN | |
| 2025-01-16 04:12:01 UTC | 8000 | IN | |
| 2025-01-16 04:12:01 UTC | 8000 | IN | |
| 2025-01-16 04:12:01 UTC | 8000 | IN | |
| 2025-01-16 04:12:01 UTC | 8000 | IN | |
| 2025-01-16 04:12:01 UTC | 8000 | IN | |
| 2025-01-16 04:12:01 UTC | 8000 | IN | |
| 2025-01-16 04:12:01 UTC | 8000 | IN | |
| 2025-01-16 04:12:01 UTC | 8000 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 23:10:04 |
| Start date: | 15/01/2025 |
| Path: | C:\Users\user\Desktop\Purchase Order No.5817-0001142025.bat.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 617'221 bytes |
| MD5 hash: | FB2BE2965FB21D400341518012AD4867 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 23:11:46 |
| Start date: | 15/01/2025 |
| Path: | C:\Users\user\Desktop\Purchase Order No.5817-0001142025.bat.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 617'221 bytes |
| MD5 hash: | FB2BE2965FB21D400341518012AD4867 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 15.7% |
| Dynamic/Decrypted Code Coverage: | 13.4% |
| Signature Coverage: | 15.8% |
| Total number of Nodes: | 1613 |
| Total number of Limit Nodes: | 33 |
Graph
Function 00403645 Relevance: 88.0, APIs: 32, Strings: 18, Instructions: 464stringfilecomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405D8E Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148filestringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406DA0 Relevance: 5.4, APIs: 4, Instructions: 382COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403D54 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215stringregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004030D5 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 204memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004066BF Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401774 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145stringtimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004026F1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406A06 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401C48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004020DD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040248F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004071D5 Relevance: 5.2, APIs: 4, Instructions: 236COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004073D6 Relevance: 5.2, APIs: 4, Instructions: 208COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004070EC Relevance: 5.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406BF1 Relevance: 5.2, APIs: 4, Instructions: 198COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040703F Relevance: 5.2, APIs: 4, Instructions: 180COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040715D Relevance: 5.2, APIs: 4, Instructions: 170COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004070A9 Relevance: 5.2, APIs: 4, Instructions: 168COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040347E Relevance: 4.6, APIs: 3, Instructions: 101COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403376 Relevance: 3.1, APIs: 2, Instructions: 88COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405BD6 Relevance: 3.0, APIs: 2, Instructions: 26COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405C65 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406172 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405C30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402896 Relevance: 1.5, APIs: 1, Instructions: 28COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004023B7 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406224 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004061F5 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6FBB2A7F Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004023F9 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004035FD Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6FBB2B98 Relevance: 1.4, APIs: 1, Instructions: 143COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401FA9 Relevance: 1.3, APIs: 1, Instructions: 37COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6FBB12BB Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405846 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404AF2 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 275stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6FBB1BFF Relevance: 20.1, APIs: 13, Instructions: 597stringlibrarymemoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402910 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040506E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404102 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004047C0 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004062C8 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130memorystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404668 Relevance: 12.1, APIs: 8, Instructions: 68COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404FBC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402F98 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6FBB2655 Relevance: 9.1, APIs: 6, Instructions: 109COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404EAE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6FBB1979 Relevance: 7.7, APIs: 5, Instructions: 194COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6FBB2480 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401D86 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401E53 Relevance: 7.5, APIs: 5, Instructions: 43COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6FBB16BD Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405F51 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6FBB10E1 Relevance: 6.4, APIs: 5, Instructions: 145memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401BA0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 72memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402643 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406059 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040567B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405F9D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004060D7 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|